Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) □ Responsive to communication(s) filed on .

2a) ☒ This action is FINAL. 2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) ☒ Claim(s) 1-22 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-22 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.
Claim Rejections - 35 USC §103

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

2. Claims 1, 3, 5-6, 11, 13, 15, 17, 19, 21-22 are still rejected under 35 U.S.C. 103(a) as
being unpatentable over Messmer in view of Hill, and further in view of Newton's Telecom
Dictionary.

3. As per claims above, Messmer teaches outsourcing intrusion detection. Messmer also
teaches that Counterpane manages intrusion-detection services, by having a black box that is
located on a company's network. Thus, the Examiner asserts that by having the black box sensor
that is located on the network, this constitutes a security subsystem, because the security
subsystem continuously monitors and collects data and transmits the information to
Counterpane's data center (i.e. Master system). Also, because the Applicant provides no specific
definition of a master system, the Examiner broadly interprets a master system to be any system
that analyzes information from the subsystem, because Messmer teaches that all data from
customer's network is transmitted to the Counterpane's data center, then Messmer teaches a
Master system. Further, Messmer teaches that the subsystem (i.e. black box) without human
control is configured to correlate events across a plurality of devices associated with the network
of computers and detect attacks on the computer, because Messmer teaches that a probe or
"black box sensor" is put on the customer's network (i.e. target network) to accept audit data
from a wide range of devices. Further, Messmer teaches that the black box sensor captures
syslog and audit outputs from Windows NT, Solaris, Linux servers; firewalls; ISS and intrusion
detection software. Further, master system (i.e. Counterpane's data center) registers information
pertaining to attacks detected by the security subsystem (i.e. black box), because Messmer
teaches that the black box regularly transmits the network activity output to the master
system (i.e. data centers). Furthermore, Messmer teaches that the data that is transmitted to the
master system (i.e. data center) are footprints of attacks, and the data center has analysts that are
trained to understand them. Lastly, Messmer teaches that the security subsystem (i.e. black box)
and the master system (i.e. Counterpane's data center) communicate by using encryption,
because Messmer teaches that the Counterpane's black box regularly transmits the network
activity output in encrypted form to Counterpane's data center (i.e. master system). Further, the
data that is transmitted is outputted to the master system, and registered so the information can
be viewed by analysts. However, Messmer is silent on the security subsystem responding to the
detected attacks. However, Hill discloses the security subsystem (i.e. agent) responds to the
detected attacks (see col. 8, lines 12-17). Further, Hill discloses the security subsystem responds
to detected attacks by selectively reporting a status of the network of computers to the master
system (i.e. processor) (see col. 4, lines 53-61, col. 8, lines 12-21), and by testing the security
subsystem (see col. 2, lines 66-67), allows the subsystem to respond to detected attacks by
selectively reporting, testing, and implementing countermeasures (see col. 3, lines 1-41). It
would have been obvious to one of ordinary skill in the art at the time of the invention to
combine Messmer with Hill to include the security subsystem responding to detected attacks, the
motivation is that the security subsystem responding to detected attacks is a method that provides
network manager with help that may be overwhelmed with both responding to an attack and
providing operational control and messages through the network (see col. 2, lines 50-53 of Hill
et al.). Therefore, Hill system provides a network manager with knowledge of the severity and
overall nature of the attack, and recommended actions (see col. 2, lines 54-56 of Hill).

4. Since the Applicant does not provide a definition of a secure
link (i.e. channel), the Examiner looks towards Newton's Telecom Dictionary. According to
Newton's Telecom Dictionary, a secure channel (i.e. link) is defined as technology that provides
privacy, integrity, and authentication in point-to-point communication (see pg. 636). Thus, the
Examiner asserts that the encryption taught in Messmer-Hill is a secure channel, because
encrypting insures that information is protected from unauthorized viewing or use; therefore,
insuring privacy, and integrity is maintained because if information is private the information
cannot be manipulated, and authentication because in encryption in order to decode the
information one must have the corresponding key to decode. Thus, the motivation to have an
encrypted channel (i.e. link) is that the information that is sent between the two points of security
subsystem and the master system is kept private and integrity is kept, and both parties can be
authenticated, and thus prevents intruders or unauthorized users from manipulating information.

5. As per independent claims 11, 21-22, and also dependent claims 3, 6, 15, 19, limitations
have already been addressed; see claim 1 above. Also, claims 11, 21-22, 3, 6, 15, 19 include a
master system hierarchically independent from the security subsystem. The Examiner asserts
that Messmer discloses this because Messmer teaches that the master system (i.e. data center) is
located in California or Virginia and that all data located on customer's network is transmitted to
the master system. Also, the master system monitors the security subsystem around the clock,
and Messmer also teaches that the master system is outsourced intrusion
detection. Thus, the Examiner asserts that the Master system is hierarchically independent from
the security subsystem.

6. As per claims 4, 7, Messmer teaches that a security subsystem is hierarchically
subordinate to the master system, because Messmer teaches that the customer's network has a
black box sensor that correlates all the information from devices on the customer's network (see
claim 1, above), and this information is transferred to the Master system. Further, the master
system (i.e. data center) of Messmer tells customers how to handle intrusions. Therefore, the
Examiner asserts that the security subsystem is subordinate to the master system.

7. As per claims 14, 18, Messmer teaches that the detection means (i.e. black box sensor) is
one or more selected from the group consisting of an intrusion detection system, firewall and
security subsystem. The Examiner asserts that Messmer meets this limitation, because the black
box sensor detects attacks on the network.

Claim Rejections - 35 USC §103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

9. Claims 2, 8, 12, 16, 20 are still rejected under 35 U.S.C. 103(a) as being unpatentable 
over Messmer in view of Hill, and Newton's Telecom Dictionary, and further in view of 
Kurtzberg et al. 

10. As per the claims above, Messmer, Hill, and Newton's Telecom Dictionary teach
comparing pseudo-attack (i.e. training attacks) to the attacks detected by the security system (see
col. 3, lines 20-36 of Hill). However, Messmer, Hill, and Newton's Telecom Dictionary do not
disclose testing a system by having a pseudo (i.e. simulated) attack generator for generating
attacks on the computer. However, Kurtzberg et al. discloses testing a system by having a
pseudo (i.e. simulated) attack generator for generating attacks on the computer (see col. 3, lines
21-28).

11. It would have been obvious to modify Messmer, Hill and Newton's Telecom Dictionary,
with Kurtzberg et al.; the motivation to include a pseudo attack generator for generating attacks is
that this method of testing insures that integrity is maintained by testing the security subsystem
thereby protecting the network from unauthorized penetrations (see col. 1, lines 35-40 of
Kurtzberg et al.). Thus, integrity of a computer system can be tested reliably to improve or
complement the system performance (see col. 1, lines 65-67 of Kurtzberg).

12. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Messmer, Hill in
view of Newton Telecom Dictionary, and further in view of Kurtzberg as applied to claim 8
above.

13. As per claim 9, the Examiner asserts that Messmer discloses this because Messmer
teaches that the master system (i.e. data center) is located in California or Virginia and that all
data located on customer's network is transmitted to the master system. Also, the master system
monitors the security subsystem around the clock, and Messmer also
teaches that the master system is outsourced intrusion detection. Thus, the Examiner asserts that
the Master system is hierarchically independent from the security subsystem.

14. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Messmer, Hill, in
view of Newton Telecom Dictionary, and further in view of Kurtzberg as applied to claim 8
above.

15. As per claim 10, Messmer teaches that a security subsystem is hierarchically subordinate
to the master system, because Messmer teaches that the customer's network has a black box
sensor that correlates all the information from devices on the customer's network (see claim 1,
above), and this information is transferred to the Master system. Further, the master system (i.e.
data center) of Messmer tells customers how to handle intrusions. Therefore, the Examiner
asserts that the security subsystem is subordinate to the master system.


Response To Amendment

16. The Applicant has stated that the limitations that have been added are not met by the prior
art. The Applicant is urged to look at paragraph one; specifically, in regards to the new limitations,
Hill has been used to address these limitations.

17. The Applicant states that Messmer's black box is a dumb box that simply passes
information through. The Examiner disagrees. Messmer's black box captures output from a
plurality of devices, and transmits this information to the master system.

Action is Final, Necessitated by Amendment

18. Applicant's amendment necessitated the new ground(s) of rejection presented in this
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jenise E Jackson whose telephone number is (703) 306-0426. 
The examiner can normally be reached on M-Th (6:00 a.m. - 3:30 p.m.) and alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh, can be reached on (703) 305-9648. The fax phone numbers for the
organization where this application or proceeding is assigned are (703) 305-0040 for regular 
communications and (703) 308-6306 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 305-3900. 

August 22, 2004

EMMANUEL L. MOISE
PRIMARY EXAMINER


